From 8bdd01ea2b6350399c70d2a32bcce6cedfed500f Mon Sep 17 00:00:00 2001 From: brynet Date: Sun, 26 Aug 2018 18:26:51 +0000 Subject: [PATCH] Unveil pflogd(8). Similiar to florian@'s recent changes to ifconfig(8), the priviledged parent cannot be pledged due to certain ioctls, but we can use unveil(2) to lock down its access to the filesystem. To be able to use hostnames/dns in tcpdump-like filter expressions, we unveil /etc/{resolv.conf,hosts,services} "r", kept in sync with the kernel bypass for pledge("dns") Additionally, we need to unveil /dev/bpf "r" and the output log file "rwc". The unpriviledged child is pledged "stdio recvfd" and thus does not need any unveils. With feedback/testing from florian@, deraadt@ ok florian@ deraadt@ --- sbin/pflogd/privsep.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/sbin/pflogd/privsep.c b/sbin/pflogd/privsep.c index e0ea2026bd3..c0549727356 100644 --- a/sbin/pflogd/privsep.c +++ b/sbin/pflogd/privsep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: privsep.c,v 1.31 2018/08/26 18:24:46 brynet Exp $ */ +/* $OpenBSD: privsep.c,v 1.32 2018/08/26 18:26:51 brynet Exp $ */ /* * Copyright (c) 2003 Can Erkin Acar @@ -131,6 +131,19 @@ priv_init(int Pflag, int argc, char *argv[]) setproctitle("[priv]"); + if (unveil("/etc/resolv.conf", "r") == -1) + err(1, "unveil"); + if (unveil("/etc/hosts", "r") == -1) + err(1, "unveil"); + if (unveil("/etc/services", "r") == -1) + err(1, "unveil"); + if (unveil("/dev/bpf", "r") == -1) + err(1, "unveil"); + if (unveil(filename, "rwc") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + #if 0 /* This needs to do bpf ioctl */ BROKEN if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1) -- 2.20.1